The Malwarebytes Report: The 2016 Malware Threat Landscape

The internet security company Malwarebytes just released its “State of Malware” report for the latter half of 2016. Highlights about individual malware threats are presented in this article. Information about the world-wide distribution of malware can be found in a companion piece about the global malware landscape. Interested readers are encouraged to read the complete report.

The report is based on data Malwarebytes collected from June to November 2016. The data include almost a billion malware detections from almost a million consumer and corporate Windows and Android devices distributed in more than 200 countries.

Ransomware

Ransomware dominated the threat landscape in 2016. In January of 2016, ransomware accounted for 18% of the global malware payloads delivered by spam and exploit kits. Ten months later in November 2016, ransomware had blossomed to account for 66% of malware payloads, an increase of 267%. Malwarebytes calls this “an unprecedented domination of the threat landscape.”

Malwarebytes points out two reasons why ransomware has become the malware of choice for cybercriminals. First, it’s very easy to use. Complete Ransomware as a Service solutions are offered on the dark net for as little as $39 which means you don’t need coding skills to launch a ransomware attack. Ransomware also offers a short and simple path to payment. There’s no need to find a buyer for stolen credit card or password information because the victim pays the ransom directly into the criminal’s account.

The second reason ransomware is popular is because it works. Ransomware encrypts the files on the victim’s computer with an algorithm that is virtually impossible to break. You either pay the ransom or lose the files. Most businesses and individuals pay the ransom.

Ransomware targets differed by location. North America suffered 81% of the world’s ransomware attacks directed at businesses and corporations. Europe, on the other hand, was hit by 51% of global ransomware attacks against individuals. For more information about the global distribution of malware see “The Malwarebytes Report: The Global Malware Landscape”.

While there are hundreds of variants of ransomware, three families dominated the scene in 2016. TeslaCrypt ruled until May when it was shut down and a master key that unlocked all its encrypted files was released. The respite was short lived. Locky quickly rose to prominence and was the predominant form of ransomware until November when Cerber took over. Cerber attacks were exponentially increasing at the end of 2016.

Ad fraud malware

Ad fraud malware was also widely distributed in 2016. This type of malware hijacks the user’s system to visit websites where it triggers clicks on ads thereby increasing income for the people who placed the ad. Criminals can deploy ad fraud malware on behalf of clients who are running legitimate ads, or they can place their own illegitimate ads and directly collect the advertising payments.

A particularly disturbing development in the ad fraud space was that ad fraud malware was being deployed using Kovter. Kovter is a sophisticated form of malware that can invade a user’s system by creating a registry key instead of downloading a file. Antivirus programs are usually better at detecting problem files than bogus registry keys. Kovter is also able to identify and deactivate security programs that are designed to root it out.

Botnets

Botnets are networks of computers infected with malware that allows the computers to be controlled as a group from a single Command and Control location. They’ve been around for a long time and are usually used to distribute spam or coordinate DDoS (Distributed Denial of Service) attacks.

Late 2016 saw a new form of botnet attack. Mirai is an open-source botnet that infects Internet-of-Things (IoT) devices like thermostats, webcams, home security systems and routers. On October 21, a Mirai botnet of roughly 100,000 IoT devices launched a DDoS attack on Dyn, a company that manages the connections between domain names like forbes.com and the numeric address of the server that hosts the forbes.com website. The result was that many people in the US and Europe were unable to connect with a variety of websites.

A spoofed Word document designed to trick users into launching a malicious macro script. Credit: Malwarebytes

Attack vectors

How does malware get into a computer system? The culprit for IoT botnets like Mirai is largely the IoT industry itself which is notorious for failing to include security measures in its products.

Industry failures are not the main source of the problem, however; computer users are. Individuals don’t keep their security software up to date and consistently fail to follow basic and well-known security practices. Employees fall prey to social engineering tactics and breach corporate security systems by responding to phishing attacks.

There was an upsurge in phishing in the second half of 2016. One form of attack that became popular was inserting malicious script in a ZIP file attached to an email. If the ZIP file was opened and launched, the script executed and downloaded malware into the user’s system from a remote server.

Malicious macro scripts in Microsoft Office documents were also popular in 2016. The document arrives in an email that looks legitimate and sneakily invites the user to enable macros. If the user follows through, the script executes and downloads malware.
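The two delivery methods just described (a script hidden in a ZIP attachment, and an Office document carrying a macro) can be flagged before a user ever opens them. The following Python triage check is an added example written for this article, not code from Malwarebytes or the report; the extension lists and the sample attachments are constructed assumptions.

```python
import io
import zipfile

# Script/executable extensions typical of ZIP-attachment droppers (assumed list).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".ps1"}
# Office formats whose name alone announces that macros may be present.
MACRO_DOC_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}

def _ext(name):
    low = name.lower()
    return "." + low.rsplit(".", 1)[-1] if "." in low else ""

def triage_attachment(name, data):
    """Return a list of findings for one email attachment (empty list = nothing flagged)."""
    findings = []
    if _ext(name) in RISKY_EXTENSIONS:
        findings.append(f"script/executable attachment: {name}")
    if _ext(name) in MACRO_DOC_EXTENSIONS:
        findings.append(f"macro-enabled Office document: {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        # Modern Office files are ZIP containers; a vbaProject.bin part means VBA
        # macros are embedded even if the file is named .docx to look harmless.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append(f"VBA macro project embedded in {name}")
        for m in members:
            if _ext(m) in RISKY_EXTENSIONS:
                findings.append(f"script inside ZIP: {name}:{m}")
                # Double extension (invoice.pdf.js) disguises the script as a document.
                if len(m.lower().split(".")) > 2:
                    findings.append(f"double extension inside ZIP: {name}:{m}")
    return findings

def _make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, content in files.items():
            zf.writestr(n, content)
    return buf.getvalue()

# Constructed sample attachments (no real malicious content).
SAMPLE_DROPPER_ZIP = _make_zip({"Invoice_2016.pdf.js": "// placeholder text, not a script"})
SAMPLE_MACRO_DOC = _make_zip({"[Content_Types].xml": "<Types/>",
                              "word/document.xml": "<w:document/>",
                              "word/vbaProject.bin": b"\x00"})
SAMPLE_CLEAN_ZIP = _make_zip({"report.txt": "quarterly numbers"})
```

Run `triage_attachment("invoice.zip", SAMPLE_DROPPER_ZIP)` to see the two findings raised for the disguised script; a mail gateway would quarantine or strip anything with a non-empty result.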

Looking ahead to 2017

The Malwarebytes report includes several predictions about what to expect in 2017. Ransomware isn’t going to go away; it’s too profitable and too easy to deploy. Malwarebytes expects to see an increase in ransomware that modifies a system’s Master Boot Record so that the user can’t boot their computer. Instead of losing encrypted files, you lose everything if you don’t pay the ransom.

Email will continue to be a primary attack vector. Phishing is likely to become even more sophisticated in terms of both social engineering practices and malware delivery systems. Malwarebytes also predicts an increase in the deployment of exploit kits that have enhanced capabilities for avoiding detection.

Conclusion

It’s important to keep in mind that the nearly one billion malware infections that formed the basis for the Malwarebytes report were detected by one company over a six-month period. The total number of global malware infections for the year is likely to be at least an order of magnitude larger. Malware is an enormous problem.

The one thing that can be counted on for 2017 is that the problem is going to get worse. New ransomware variants, more sophisticated phishing techniques, and more dangerous exploit kit delivery systems will almost certainly appear as will new threat vectors that are not covered in the Malwarebytes report. The days of protecting your system with an anti-virus program are long over. The good news is that almost every consumer and corporation can do more than they’re already doing to increase their level of internet security.

(Disclosure. I have used self-purchased Malwarebytes security software for several years.)